Back to MCP Servers

Aegis

Policy-based governance for AI agent tool calls. YAML policies, approval gates, risk assessment, and audit logging. Cross-platform: LangChain, OpenAI, Anthropic, MCP.

securitygoaiagent
By Acacian
104Updated 1 month agoPythonMIT

Installation

npx -y aegis

Configuration

{
  "mcpServers": {
    "aegis": {
      "command": "npx",
      "args": ["-y", "aegis"]
    }
  }
}

How to use

  1. Run the installation command above (if needed)
  2. Open your Claude Code settings file (~/.claude/settings.json)
  3. Add the configuration to the mcpServers section
  4. Restart Claude Code to apply changes
<!-- mcp-name: io.github.Acacian/aegis --> <p align="center"> <h1 align="center">Agent-Aegis</h1> <p align="center"> <strong>The governance layer for AI agents. One API, 12 frameworks, every governance primitive.</strong> </p> <p align="center"> Aegis is to agent governance what Redis is to data structures — one runtime that unifies prompt-injection blocking, PII masking, policy enforcement, trust delegation, and tamper-evident audit across every agent framework. No code changes.<br/> <code>pip install agent-aegis</code> → <code>aegis.auto_instrument()</code> → 12 frameworks are now governed. </p> </p> <p align="center"> <a href="https://github.com/Acacian/aegis/actions/workflows/ci.yml"><img src="https://github.com/Acacian/aegis/actions/workflows/ci.yml/badge.svg" alt="CI"></a> <a href="https://pypi.org/project/agent-aegis/"><img src="https://img.shields.io/pypi/v/agent-aegis?color=blue&cacheSeconds=3600" alt="PyPI"></a> <a href="https://pypi.org/project/langchain-aegis/"><img src="https://img.shields.io/pypi/v/langchain-aegis?label=langchain-aegis&color=blue&cacheSeconds=3600" alt="langchain-aegis"></a> <a href="https://pypi.org/project/agent-aegis/"><img src="https://img.shields.io/pypi/pyversions/agent-aegis?cacheSeconds=3600" alt="Python"></a> <a href="https://github.com/Acacian/aegis/blob/main/LICENSE"><img src="https://img.shields.io/badge/License-MIT-blue.svg" alt="License"></a> <a href="https://acacian.github.io/aegis/"><img src="https://img.shields.io/badge/docs-acacian.github.io%2Faegis-blue" alt="Docs"></a> <br/> <a href="https://github.com/Acacian/aegis/actions/workflows/ci.yml"><img src="https://img.shields.io/badge/tests-6300%2B_passed-brightgreen" alt="Tests"></a> <a href="https://github.com/Acacian/aegis/actions/workflows/ci.yml"><img src="https://img.shields.io/badge/coverage-92%25-brightgreen" alt="Coverage"></a> <a href="https://acacian.github.io/aegis/playground/"><img src="https://img.shields.io/badge/playground-Try_it_Live-ff6b6b" alt="Playground"></a> <a href="https://acacian.github.io/aegis/playground/scan-report.html"><img src="https://img.shields.io/badge/scan_report-39_Repos%2C_92%25_F-red" alt="Scan Report"></a> <a href="https://www.bestpractices.dev/projects/12253"><img src="https://www.bestpractices.dev/projects/12253/badge" alt="OpenSSF Best Practices"></a> </p> <p align="center"> <a href="#what-is-aegis"><strong>What is Aegis</strong></a> &bull; <a href="#primitives">Primitives</a> &bull; <a href="#frameworks">Frameworks</a> &bull; <a href="#use-cases">Use Cases</a> &bull; <a href="#30-second-start"><strong>30-Second Start</strong></a> &bull; <a href="#research">Research</a> &bull; <a href="https://acacian.github.io/aegis/">Docs</a> &bull; <a href="https://acacian.github.io/aegis/playground/"><strong>Playground</strong></a> </p> <p align="center"> <b>English</b> &bull; <a href="./README.ko.md">한국어</a> </p>
<p align="center"> <img src="docs/assets/demo.gif?v=2" alt="Aegis Demo" width="880"> </p>

What is Aegis

Every AI agent framework reinvents the same governance primitives — and each one does it slightly differently. Aegis is the abstraction layer that unifies them.

LayerWhat it doesExamples
1. PrimitivesA universal contract for every tool callAction, ActionClaim, Policy, Result, DelegationChain, AuditEvent
2. AdaptersAuto-instrument any framework through its own hooksLangChain callbacks, CrewAI BeforeToolCallHook, OpenAI Agents tracing, Google ADK BasePlugin, MCP transport, DSPy modules, httpx middleware, Playwright context
3. GovernanceDeclarative primitives you compose into policyPrompt injection / PII / leak / toxicity guardrails, RBAC, rate limit, cost budget, drift detection, anomaly scoring, trust delegation, justification gap, selection audit, Merkle audit chain
4. LifecycleOne runtime, every stage of agent opsScan → Instrument → Policy CI/CD → Runtime → Proxy → Audit
import aegis
aegis.auto_instrument()    # 12 frameworks governed. No other code changes.

Redis is to in-memory data structures what Aegis is to agent governance: one library, every primitive, every framework, one API. You don't write a LangChain guardrail and a CrewAI guardrail and an OpenAI guardrail — you write one Policy and every framework inherits it.


Primitives

The contract every adapter maps into. Framework-agnostic by design.

PrimitivePurposeModule
ActionUnified representation of any tool / LLM / HTTP / MCP call across all frameworksaegis.core.action
ActionClaimTripartite structure — Declared (agent-authored) / Assessed (Aegis-computed) / Chain (delegation)aegis.core.action_claim
PolicyDeclarative YAML rules: match → risk → approval (auto / approve / block)aegis.core.policy
ClaimPolicyPolicy layer that evaluates 6-dimensional impact vectors, not just tool namesaegis.core.claim_policy
GuardrailsDeterministic regex checks for injection, PII, prompt leak, toxicity — 2.65ms cold / <1µs warmaegis.guardrails
DelegationChainMulti-agent hand-off tracking with monotone trust constraint (non-increasing)aegis.core.agent_identity
AuditEventTamper-evident append-only log, Merkle-chained, SQLite + JSONL + webhook sinksaegis.core.merkle_audit
SelectionAuditAudits what an agent excludes, not just what it picks — detects cosmetic alignmentaegis.core.selection_audit
JustificationGap6D asymmetric scoring: agents declare impact, Aegis independently assesses, gap triggers escalationaegis.core.justification_gap
CryptoAuditChainEd25519-signed chain for long-term compliance evidenceaegis.core.crypto_audit

Every governance feature in Aegis — anomaly detection, cost budgets, drift, cascade guards, kill switches — is a composition of these primitives. Read the Concepts guide to see how they fit together.


Frameworks

One API. 12 agent frameworks + 3 protocol-level adapters.

FrameworkHookStatus
LangChainBaseChatModel.invoke/ainvoke, BaseTool.invoke/ainvokeStable
CrewAICrew.kickoff/kickoff_async, global BeforeToolCallHookStable
OpenAI Agents SDKRunner.run, Runner.run_syncStable
OpenAI APICompletions.create (chat & completions)Stable
Anthropic APIMessages.createStable
LiteLLMcompletion, acompletionStable
Google GenAIModels.generate_content (new + legacy)Stable
Google ADKBasePlugin lifecycle (tool calls, agent routing, sessions)Stable
Pydantic AIAgent.run, Agent.run_syncStable
LlamaIndexLLM.chat/achat/complete/acomplete, BaseQueryEngine.query/aqueryStable
InstructorInstructor.create, AsyncInstructor.createStable
DSPyModule.__call__, LM.forward/aforwardStable
MCPTransport-layer proxy for any MCP server (stdio / HTTP)Stable
httpxMiddleware for raw HTTP egress (REST agents, webhooks)Stable
PlaywrightBrowser context instrumentation for browsing agentsStable

auto_instrument() detects what's installed and patches only those — no hard dependencies. Custom adapters use the same BaseAdapter interface.

Default Guardrails

GuardrailDefaultWhat it catches
Prompt injectionBlock10 attack categories, 85+ patterns, multi-language (EN/KO/ZH/JA)
PII detectionWarn13 categories (email, credit card, SSN, IBAN, API keys, etc.)
Prompt leakWarnSystem prompt extraction attempts
ToxicityWarnHarmful, violent, or abusive content
MCP STDIO injectionBlockJSON-RPC injection, frame concatenation, unicode escape bypass (OX Security advisory)

Deterministic regex — no LLM calls, no network. 2.65ms cold / <1µs warm per check.


Use Cases

The same primitives, five different entry points. Pick whichever matches your workflow.

1. Runtime protection (most common)

One line. Any framework.

import aegis
aegis.auto_instrument()

Or zero code changes — AEGIS_INSTRUMENT=1 python my_agent.py. Injection blocking, PII masking, prompt-leak warnings, audit trail, and policy enforcement become active for every LangChain / CrewAI / OpenAI / Anthropic / LiteLLM / ADK / DSPy / LlamaIndex / Pydantic AI call.

Pydantic AI native capability — no monkey-patching, explicit per-agent control:

from pydantic_ai import Agent
from aegis.contrib.pydantic_ai import AegisCapability

agent = Agent(
    "openai:gpt-4o-mini",
    capabilities=[AegisCapability.default()],  # injection, PII, toxicity, prompt-leak, hallucination
)
result = await agent.run("What is AI governance?")

Full Pydantic AI integration guide →

2. Pre-production scanning

Find ungoverned AI calls before they ship.

pip install agent-aegis
aegis scan .
Aegis Governance Scan
=====================
Scanned: 47 files in ./src

Found 5 ungoverned tool call(s):
  agent.py:12   OpenAI        function call with tools= — no governance wrapper  [ASI02]
  tools.py:8    LangChain     @tool "search_db" — no policy check  [ASI02]
  llm.py:21     LiteLLM       litellm.completion() — no governance wrapper  [ASI02]
  run.py:5      subprocess    subprocess.run — direct shell execution  [ASI08]
  api.py:14     HTTP          requests.post — raw HTTP in agent code  [ASI07]

Governance Score: D (5 ungoverned call(s))

Supports --format json|sarif|suggest, --threshold A-F, .aegisscanignore, and inline # aegis: ignore pragmas. Auto-fix with aegis scan --fix.

3. Policy CI/CD

Security tools protect at runtime. Aegis also manages the policy lifecycle — the same way you test and ship code.

aegis plan current.yaml proposed.yaml --audit-db aegis_audit.db

# Policy Impact Analysis
#   Rules: 2 added, 1 removed, 3 modified
#   Impact (replayed 1,247 actions):
#     23 actions would change from AUTO → BLOCK
aegis test policy.yaml tests.yaml                      # Run in CI
aegis test policy.yaml --generate                      # Auto-generate test suite
aegis test new.yaml tests.yaml --regression old.yaml   # Regression check
# .github/workflows/policy-check.yml
- uses: Acacian/aegis@main
  with:
    policy: aegis.yaml
    tests: tests.yaml
    fail-on-regression: true

Or block ungoverned calls at PR time:

- uses: Acacian/aegis@v0.9.5
  with:
    command: scan
    fail-on-ungoverned: true

4. Audit & compliance

Every call is logged to a tamper-evident Merkle chain, with mappings to EU AI Act / NIST AI RMF / SOC2 built in.

aegis audit
  ID  Session       Action        Target   Risk      Decision    Result
  1   a1b2c3d4...   read          crm      LOW       auto        success
  2   a1b2c3d4...   bulk_update   crm      HIGH      approved    success
  3   a1b2c3d4...   delete        crm      CRITICAL  block       blocked

SQLite + JSONL + webhook sinks. Ed25519 signing for long-term evidence. See the Compliance guide.

5. Governance server (multi-agent)

Centralized governance for multiple agents. Each agent connects via SDK, server handles policy, guardrails, audit, and compliance.

pip install 'agent-aegis[server]'
aegis-server

37 REST endpoints + WebS

View source on GitHub